Snort mailing list archives
Re: Snort-sigs Digest, Vol 35, Issue 19
From: Bình Nguyễn via Snort-sigs <snort-sigs () lists snort org>
Date: Fri, 24 Apr 2020 09:15:08 +0700
We are using Antispam Barracuda to handle all spam emails into our system. I think it works very well. Please remove this IP again. Thanks.

On Wed, 22 Apr 2020 at 23:01 <snort-sigs-request () lists snort org> wrote:
Send Snort-sigs mailing list submissions to snort-sigs () lists snort org
To subscribe or unsubscribe via the World Wide Web, visit https://lists.snort.org/mailman/listinfo/snort-sigs or, via email, send a message with subject or body 'help' to snort-sigs-request () lists snort org
You can reach the person managing the list at snort-sigs-owner () lists snort org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-sigs digest..."

Today's Topics:
1. Re: False positives(?) for spp_sip (Nitish Hejmadi)
2. Snort Subscriber Rules Update 2020-04-21 (Research)

---------- Forwarded message ----------
From: Nitish Hejmadi <nitishh () gmail com>
To: "Pettersson, Emil" <emil.pettersson () sovos com>
Cc: "snort-sigs () lists snort org" <snort-sigs () lists snort org>
Date: Mon, 20 Apr 2020 11:15:13 -0400
Subject: Re: [Snort-sigs] False positives(?) for spp_sip

Could be misconfiguration of VoIP or video conferencing from the client's side, considering how many people are doing that nowadays. We've seen a lot of blocks on our VC too. Just for safety I run the blocked IP address through an automated threat hunting tool to make sure they are not targeting any other resources or services.

Nitish Hejmadi
Founder & Strategist
T 416 620 5535
www.honeyteksystems.com <https://honeyteksystems.com/home>

On Apr 17, 2020, at 9:08 AM, Pettersson, Emil <emil.pettersson () sovos com> wrote:

Hi,

We've been getting a few blocks for traffic from customers. From looking into the logs, if I'm understanding correctly, these are getting caught by spp_sip due to the traffic in these instances having source port 5060 (they're doing a few thousand/day with a random source port span).
Apr 17 09:33:31 snort[17881]: [140:3:2] (spp_sip) URI is too long [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} [SOURCE_IP]:5060 -> [DESTINATION_IP]:443

There is no actual SIP traffic expected to go in or out from this network, so regardless of anything else I believe there's no real reason to have these rules enabled? However, I am unsure of what the correct way would be to disable them?

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
Please visit http://blog.snort.org for the latest news about Snort!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Visit Snort.org to subscribe to the official Snort ruleset; make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
---------- Forwarded message ----------
From: Research <research () sourcefire com>
To: snort-sigs () lists snort org, shesu () sourcefire com
Date: Tue, 21 Apr 2020 20:24:33 GMT
Subject: [Snort-sigs] Snort Subscriber Rules Update 2020-04-21

Talos Snort Subscriber Rules Update

Synopsis: This release adds and modifies rules in several categories.

Details: Talos has added and modified multiple rules in the server-webapp rule sets to provide coverage for recently released 0-day vulnerabilities in IBM's Data Risk Manager product. SIDs 53733-53735.

For a complete list of new and modified rules please see: https://www.snort.org/advisories
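The digest leaves Emil's question unanswered. As an added example, not code from the list or from any poster, here is a small Python triage helper that parses alert lines in the syslog format quoted above, flags spp_sip (generator 140) events where only the source port matched the preprocessor's SIP port list (the 5060 -> 443 pattern in the thread), and emits a threshold.conf suppress line for each. The sample alert lines and their addresses are constructed; the SIP port set assumes the default ports { 5060 5061 } of the preprocessor.

```python
import re
from dataclasses import dataclass

# Constructed sample alerts in the syslog format shown in the thread.
# Addresses are documentation ranges, not real hosts.
SAMPLE_ALERTS = [
    "Apr 17 09:33:31 snort[17881]: [140:3:2] (spp_sip) URI is too long "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} "
    "198.51.100.23:5060 -> 192.0.2.10:443",
    "Apr 17 09:34:02 snort[17881]: [140:3:2] (spp_sip) URI is too long "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {UDP} "
    "198.51.100.77:41022 -> 192.0.2.20:5060",
    "Apr 17 09:35:10 snort[17881]: [1:2000001:3] \"Constructed rule\" "
    "[Classification: Misc activity] [Priority: 3] {TCP} "
    "198.51.100.5:5060 -> 192.0.2.10:443",
]

SIP_GID = 140             # generator id used by the spp_sip preprocessor
SIP_PORTS = {5060, 5061}  # assumed default ports { } list of the preprocessor

# [gid:sid:rev] msg [Classification: ...] [Priority: N] {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<pri>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

@dataclass
class Alert:
    gid: int
    sid: int
    msg: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def parse_alert(line):
    """Parse one syslog alert line; return None for lines that are not alerts."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return Alert(int(m["gid"]), int(m["sid"]), m["msg"], m["proto"],
                 m["src"], int(m["sport"]), m["dst"], int(m["dport"]))

def is_source_port_only_sip(alert):
    """spp_sip event where only the client's source port is a SIP port."""
    return (alert is not None and alert.gid == SIP_GID
            and alert.sport in SIP_PORTS and alert.dport not in SIP_PORTS)

def suppress_line(alert):
    """threshold.conf suppression for this preprocessor event from this source."""
    return f"suppress gen_id {alert.gid}, sig_id {alert.sid}, track by_src, ip {alert.src}"

def triage(lines):
    """Return one suppress line per source-port-only spp_sip alert."""
    return [suppress_line(a) for a in map(parse_alert, lines) if is_source_port_only_sip(a)]
```

Suppressing per source is the narrow fix; trimming the preprocessor's ports list, or disabling spp_sip entirely where no SIP is expected, addresses the whole class.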
Current thread:
- Re: Snort-sigs Digest, Vol 35, Issue 19 Bình Nguyễn via Snort-sigs (Apr 23)